7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f

General

Target

7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
Size

72KB
MD5

0189d11fef56258412711436079fb236
SHA1

a5e047bab2a836a7fbde9bc74712caa91fddee65
SHA256

7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f
SHA512

10653dd1c044541e9cb985459556c61d39ae45ad597d398ea02ede4418c11887a5de0fd71fd5f3b714c252a72e7006b3cccc98e523e7362fd60ca082cb70d2b6
SSDEEP

768:YkLyxhrNQ7/pkcJLXyzAEtSfPpf+drcAC8hhMOuSf+2ME9kv4FMLIWV2gXw:YyyF9MXUAasoQ8h2Zhak4SIWV2qw

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
4512	takeown.exe
4964	icacls.exe
4392	icacls.exe
3340	icacls.exe
2696	icacls.exe
2568	takeown.exe
1512	takeown.exe
628	takeown.exe
4204	icacls.exe
2228	icacls.exe
5020	icacls.exe
4788	takeown.exe
3100	icacls.exe
3160	icacls.exe
1732	takeown.exe
1772	takeown.exe
4192	icacls.exe
4592	takeown.exe
1872	icacls.exe
2952	takeown.exe
4292	icacls.exe
5004	takeown.exe
1836	takeown.exe
2016	takeown.exe
2568	takeown.exe
4968	icacls.exe
1220	takeown.exe
2008	icacls.exe
368	takeown.exe
4388	icacls.exe
4716	icacls.exe
1684	takeown.exe
4548	takeown.exe
2172	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2016	takeown.exe
4716	icacls.exe
1684	takeown.exe
4512	takeown.exe
2172	icacls.exe
2696	icacls.exe
3160	icacls.exe
4204	icacls.exe
1512	takeown.exe
4964	icacls.exe
1772	takeown.exe
1872	icacls.exe
3100	icacls.exe
2952	takeown.exe
4292	icacls.exe
1220	takeown.exe
4788	takeown.exe
4968	icacls.exe
5020	icacls.exe
4592	takeown.exe
4548	takeown.exe
1732	takeown.exe
3340	icacls.exe
4192	icacls.exe
5004	takeown.exe
368	takeown.exe
2228	icacls.exe
628	takeown.exe
2568	takeown.exe
2568	takeown.exe
4392	icacls.exe
2008	icacls.exe
1836	takeown.exe
4388	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
File created	C:\Windows\SysWOW64\skjc.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
File opened for modification	C:\Windows\SysWOW64\skjc.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4548	takeown.exe
Token: SeTakeOwnershipPrivilege	5004	takeown.exe
Token: SeTakeOwnershipPrivilege	368	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	4512	takeown.exe
Token: SeTakeOwnershipPrivilege	2568	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	1732	takeown.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	2568	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	628	takeown.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeTakeOwnershipPrivilege	2952	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

pid process

4936 7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

pid	process
4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe

description	pid	process	target process
PID 4936 wrote to memory of 4592	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4592	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4592	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1872	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 1872	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 1872	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4548	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4548	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4548	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 3100	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3100	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3100	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 5004	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 5004	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 5004	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2696	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2696	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2696	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 368	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 368	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 368	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 3160	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3160	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3160	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 1836	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1836	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1836	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4388	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4388	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4388	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4204	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4204	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4204	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2172	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2172	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2172	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 1512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1512	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4964	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4964	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4964	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 1732	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1732	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 1732	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4392	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4392	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 4392	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2016	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2016	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2016	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 3340	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3340	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 3340	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 2568	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	takeown.exe
PID 4936 wrote to memory of 4968	4936	7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe
"C:\Users\Admin\AppData\Local\Temp\7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\skjc.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4592

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\skjc.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1872

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3100

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2696

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3160

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4388

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4204

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2172

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4964

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4392

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3340

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4968

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2008

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2228

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4192

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\skjc.exe
Filesize
72KB

MD5
0189d11fef56258412711436079fb236

SHA1
a5e047bab2a836a7fbde9bc74712caa91fddee65

SHA256
7f4a62d4627207505489a7b33bc6bc067cb55a55f883d54a337dbd3bde5bcf4f

SHA512
10653dd1c044541e9cb985459556c61d39ae45ad597d398ea02ede4418c11887a5de0fd71fd5f3b714c252a72e7006b3cccc98e523e7362fd60ca082cb70d2b6

Download Submit
memory/368-141-0x0000000000000000-mapping.dmp

Download
memory/628-161-0x0000000000000000-mapping.dmp

Download
memory/1220-157-0x0000000000000000-mapping.dmp

Download
memory/1512-149-0x0000000000000000-mapping.dmp

Download
memory/1684-163-0x0000000000000000-mapping.dmp

Download
memory/1732-151-0x0000000000000000-mapping.dmp

Download
memory/1772-159-0x0000000000000000-mapping.dmp

Download
memory/1836-143-0x0000000000000000-mapping.dmp

Download
memory/1872-136-0x0000000000000000-mapping.dmp

Download
memory/2008-158-0x0000000000000000-mapping.dmp

Download
memory/2016-153-0x0000000000000000-mapping.dmp

Download
memory/2172-148-0x0000000000000000-mapping.dmp

Download
memory/2228-160-0x0000000000000000-mapping.dmp

Download
memory/2568-147-0x0000000000000000-mapping.dmp

Download
memory/2568-155-0x0000000000000000-mapping.dmp

Download
memory/2696-140-0x0000000000000000-mapping.dmp

Download
memory/2952-167-0x0000000000000000-mapping.dmp

Download
memory/3100-138-0x0000000000000000-mapping.dmp

Download
memory/3160-142-0x0000000000000000-mapping.dmp

Download
memory/3340-154-0x0000000000000000-mapping.dmp

Download
memory/4192-166-0x0000000000000000-mapping.dmp

Download
memory/4204-146-0x0000000000000000-mapping.dmp

Download
memory/4292-168-0x0000000000000000-mapping.dmp

Download
memory/4388-144-0x0000000000000000-mapping.dmp

Download
memory/4392-152-0x0000000000000000-mapping.dmp

Download
memory/4512-145-0x0000000000000000-mapping.dmp

Download
memory/4548-137-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/4716-162-0x0000000000000000-mapping.dmp

Download
memory/4788-165-0x0000000000000000-mapping.dmp

Download
memory/4964-150-0x0000000000000000-mapping.dmp

Download
memory/4968-156-0x0000000000000000-mapping.dmp

Download
memory/5004-139-0x0000000000000000-mapping.dmp

Download
memory/5020-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads